Network Intrusion: NIDS and Detection

Network intrusions—any unauthorized activity on a computer network—consume network resources that could be better used for other, authorized purposes. They also threaten the security of the network and its data.

There are a variety of ways to detect an intrusion, including monitoring network logs, sniffing network traffic, and real-time filtering for specific network events. At a minimum, network security systems should respond to any intrusion by logging the event and alerting the security team.

In most cases, automated Network Intrusion Detection Systems (NIDS) are programmed to turn over all detected intrusions to specialist teams. NIDS can make errors—false positives—and if the system responded automatically, it could inconvenience legitimate network users and wreak havoc. It’s also worth noting that some intrusions may be benign and would not need to trigger a shutdown. Human judgment is still the best method for determining whether a network intrusion requires action.

Session sniping, or knockdown, is a common response to a network intrusion. Security personnel attempt to sever all communications between the network intruder and the network. One way is to create new TCP/IP data packets that trigger a reset of the connection between the intruder and other network resources. This requires quick action and detailed analysis of the packets already being exchanged. Defenders can also disconnect the session. Resets don't work when network intruders use the User Datagram Protocol (UDP), which is connectionless and has no reset mechanism. In that case, Internet Control Message Protocol (ICMP) error messages can tell the intruder that one or more elements of the network are no longer available. This can, but doesn't always, cause the intruder to give up and go away.

Another common response is called Network Shunning, where any hosts identified as intruders are denied network access. Methods include denying access at a target host, at the network's single controlled access point, and at the point of access to individual hosts, sub-networks, or service connectivity. But an intruder who recognizes the shunning response may send forged packets that also result in service denials to legitimate network users.
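One way to keep the forged-packet problem described above from turning shunning against legitimate users, as an added example that is not part of the original article: a host is shunned only after repeated alerts on completed TCP connections (a source address that is hard to forge blindly), protected hosts are never blocked automatically, and shuns expire. The class, thresholds, addresses and alert fields are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
# Constructed policy values for illustration (assumptions, not from the article).
NEVER_SHUN = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.53/32")]
MIN_ALERTS = 3       # verified alerts required before a host is shunned
SHUN_SECONDS = 600   # shuns expire so a mistaken block is not permanent

@dataclass
class Alert:
    ts: float          # alert time in seconds
    src: str           # source IP reported by the NIDS
    proto: str         # "tcp" or "udp"
    established: bool  # NIDS saw a completed TCP three-way handshake

class ShunList:
    def __init__(self):
        self.counts = {}   # src -> number of verified alerts
        self.blocked = {}  # src -> expiry timestamp

    def observe(self, a):
        """Return 'shun', 'count' or 'review' for one alert."""
        ip = ipaddress.ip_address(a.src)
        if any(ip in net for net in NEVER_SHUN):
            return "review"  # critical host: forged alerts must not cut it off
        if a.proto != "tcp" or not a.established:
            return "review"  # source address unverified and may be forged
        self.counts[a.src] = self.counts.get(a.src, 0) + 1
        if self.counts[a.src] < MIN_ALERTS:
            return "count"
        self.blocked[a.src] = a.ts + SHUN_SECONDS
        return "shun"

    def is_blocked(self, src, now):
        if src in self.blocked and now >= self.blocked[src]:
            del self.blocked[src], self.counts[src]  # shun expired: start over
        return src in self.blocked

# Constructed sample alerts (documentation address ranges).
SAMPLE = [
    Alert(0, "203.0.113.7", "tcp", True),
    Alert(1, "192.0.2.53", "udp", False),    # forged to look like a resolver
    Alert(2, "203.0.113.7", "tcp", True),
    Alert(3, "198.51.100.9", "tcp", False),  # bare SYN, never completed
    Alert(4, "203.0.113.7", "tcp", True),
]

def replay(alerts):
    shuns = ShunList()
    return shuns, [shuns.observe(a) for a in alerts]
```

Alerts that come back as "review" go to the security team instead of triggering a block, which matches the article's point that human judgment decides whether an intrusion requires action.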

Then there is Network Redirection. When intruders are detected or even suspected, it's sometimes effective to route their packets through additional security systems, or to a special part of the network called a "honeypot." A honeypot looks normal to intruders, but is totally isolated from sensitive data and fully monitored. Security personnel can then monitor the intrusion and study its techniques to better prepare for such intrusions in the future.

And finally, there is Network Cleanup. Rather than block a network intruder, some security teams prefer to scan the network for well-understood attack vectors and disarm them before they can be triggered. For example, if an intruder places ".eml" files on a network in hopes that innocent users will open them and release active malware, security personnel can simply delete all such files on compromised elements of the network.

One problem in defending against network intrusions, however, is that a great deal of damage can be done before security personnel are alerted. This eliminates their ability to study and understand the attack, and then trigger appropriate responses and countermeasures. This is why many security experts emphasize improving the automated capabilities of NIDS to operate successfully without human intervention.